Acceptable Use of IT Resources

SUMMARY

The Acceptable
Use of Information Technology Resources Policy establishes the principles that
underpin the University’s approach to protect its essential Information
Technology (IT) interests without inhibiting the use of IT Resources. The
Procedure outlines the rules for and explains:

Conditions of Use

Access to Information Technology
Resources

Responsibilities of Authorised
Users

Misuse of IT Resources

Liability

Monitoring and Surveillance of IT
Resources

Further
information concerning ‘misuse’ is provided within Schedule 1 Misuse.

POLICY

1 PURPOSE

The purpose of the Acceptable Use of Information Technology Resources Policy is to protect the essential interests of the University without inhibiting the use of Information Technology Resources, which are intended for the greater benefit of students, staff and the University generally.

2 BACKGROUND

Macquarie University provides computing, networking, information and communication resources to the University community to support teaching, research, learning, administration and other University business. Access to these Information Technology Resources is granted to members of the University community.

This policy provides a number of key principles that aids the University in protecting its significant investment in Information Technology Resources, whilst meeting its legal obligations. This policy is supported by the Acceptable Use of Information Technology Resources Procedures which are intended to ensure a clear and consistent understanding and implementation of this policy.

3 SCOPE

This Policy applies to Authorised Users of Macquarie University’s Information Technology Resources at all campuses and locations of the University. This Policy also applies to the use of information that may be accessed via the University’s Information Technology Resources.

To the maximum extent possible, this policy applies to all use of Information Technology Resources. This policy is not intended to, and does not, operate so as to exclude the operation of any other University policy, law, statute or regulation.

4 DEFINITIONS

Commonly defined terms are located in the University Glossary. The following definitions apply for the purpose of this Policy: 4.1 Authorised User
General authorisation to use Information Technology Resources is granted upon enrolment, employment, official affiliation with the University, or as a member of a participating eduroam organisation. Access to specific resources may be further restricted depending on the University's requirements.

Authorised Users include all other persons including members of the general public, who have been granted access to, and use of, the University’s Information Technology Resources. Authorised users will need to obtain accounts and passwords to enable access to University IT resources.

A member of the public reading public University web pages from outside the University is not by virtue of that activity alone considered to be a User.

4.2 Eduroam
Eduroam is a TERENA (Trans-European Research and Education Networking Association) registered trademark, and is an abbreviation of educational roaming. In context of this policy, eduroam is a location independent wireless network, which allows users from participating organisations to use their normal username and password to access network services via other participating organisations.

4.3 Information Technology Resources
The Acceptable Use of Information Technology Resources policy governs all Information Technology Resources and related physical resources provided by the University to assist or support teaching, learning, research and administrative activities. This includes, but is not limited to, the use of:

all computers and all associated data networks, internet access, email, hardware, data storage, computer accounts, all OneID systems, media, software (both proprietary and those developed by the University) and telephony services.

all physical spaces using information technology and designated for teaching, study, research and administration across the University, such as computing laboratories, study areas and learning spaces.

Information Technology services provided jointly, or as part of a joint venture between the University and a research centre, school, institute affiliated with the University, a subsidiary organisation owned by the University or any other partner organisation.

Information Technology services provided by third parties that have been engaged by the University, and

equipment owned or leased by users when used to connect to the University networks or third party services that have been engaged by the University.

4.4 IT Information Technology.

5 POLICY STATEMENT

All Authorised Users will be lawful, efficient, economical and ethical in their use of the University’s Information Technology Resources.

Authorised Users, shall so far as possible:

respect the rights of all users;

ensure Information Technology Resources and related physical resources are used for purposes authorised by the University;

ensure the security and integrity of Information Technology Resources; and

ensure Information Technology Resources are used in a way which complies with all relevant laws, subordinate legislation of the University, and contractual obligations governing the use of Information Technology Resources.

The Acceptable Use of It Resources Procedures under this Policy set rules for and explain:

Conditions of Use

Access to Information Technology Resources

Responsibilities of Authorised Users

Misuse of IT Resources

Liability

Monitoring and Surveillance of IT Resources.

Exceptions to the implementation of this policy must be approved by the Chief Information Officer in consultation with the relevant university stakeholders. Nothing in this policy requires the University to provide a particular set of Information Technology Resources to the University Community.

2 SCOPE

This Procedure applies to Authorised Users of Macquarie University’s Information Technology resources at all campuses and locations of the University.

To the maximum extent possible, this Procedure applies to all use of Information Technology Resources.

3 DEFINITIONS

Commonly defined terms are located in the University Glossary. The following definitions apply for the purpose of this Procedure.

In this Procedure unless a contrary intention appears–

‘Authority’ means –

in relation to the IT Resources generally, the Chief Information Officer or the Chief Information Officer’s delegate

in relation to a local facility, the relevant head of department, Executive Dean, or deputy vice–chancellor, or a person nominated by the relevant head of department, Executive Dean, or Deputy Vice–Chancellor;

‘authorised purposes’ means purposes associated with work or study in the University, provision of services to or by the University, which are approved or authorised by the relevant officer or employee of the University in accordance with University policies and procedures or pursuant to applicable contractual obligations, limited personal use, or any other purpose authorised by the relevant Authority;

‘Chief Information Officer’ means the person holding or acting in that position in the University, or any other person nominated by the vice‐chancellor to exercise that role for the purpose of this Procedure.

Director of Human Resources means the person holding or acting in that position in the University, or any other person nominated by the Vice-Chancellor to exercise that role for the purpose of this Procedure;

‘illegal material’ means material the creation, transmission, storage, downloading or possession of which contravenes or if done in New south Wales would contravene the criminal law as it applies in any jurisdiction in Australia;

does not directly or indirectly impose an unreasonable burden on any IT Resources;

does not unreasonably deny any other user access to any facilities;

does not contravene any law in any jurisdiction in Australia or any University statute, regulation, policy or procedure; and

in the case of staff, does not interfere with the execution of duties;

‘misuse’ has the meaning set out in Schedule 1 – ‘Misuse’ to this Procedure;

‘staff’ means staff of the University;

‘student’ includes a person who was a student at the time of any alleged breach of this Procedure, and a person who is a student for the purposes of Student Discipline;

‘University copyright officer’ means the officer designated by the Vice-Chancellor as responsible for overseeing copyright issues within the University;

4 RESPONSIBILITIES AND REQUIRED ACTIONS

The following are the Responsibilities and Required Actions that underpin the Acceptable Use of IT Resources Policy.4.1 Conditions of Use
The University makes available its Information Technology Resources for the purposes of learning, teaching, research, administration and other University business.

It is a condition of access to the University’s Information Technology Resources that Authorised Users accept:

to comply with all the provisions of this Procedure;

agree to abide by any conditions of use applicable to the use of IT Resources as determined by the Chief Information Officer from time to time and

that their actions and usage may be monitored and records retained.

The University plans to participate in eduroam;

All users of eduroam facilities at participating organisations will be subject to the provisions of the policies of their home organisation, policies of the visited organisation, and the Australian eduroam Policy.

Participating organisations set their own access policies, which may be more restrictive than Macquarie University’s Acceptable Use of IT Resources Policy.

4.2 Access to Information Technology Resources:
General authorisation to use Information Technology resources is granted upon enrolment, employment, official affiliation with the University, or as a member of a participating eduroam organisation.

Access to Information Technology Resources outside the purposes of learning, teaching, research, administration and other University business, except for limited personal use, is unauthorised. Unauthorised access to Information Technology Resources is a breach of the Acceptable Use of IT Resources Policy.

The Chief Information Officer or his or her delegate may impose such restrictions or conditions on the granting of authorisation to any person as he or she thinks fit, including:

the mandatory use of a username and password, or other authentication method;

restrictions or conditions as to the facilities the person is authorised to use; and

the provision of acknowledgments by the person to the effect that he, she or it will abide by this Procedure and any applicable conditions of use, including:

written acknowledgments signed by the user; and

requirements that the Authorised User click on or enter an acknowledgment as a condition of access to any IT Resources.

Only Authorised Users are permitted access to University Information Technology Resources. System access to the Information Technology Resources is managed and granted by the Macquarie IT Department.

Access to some faculty-controlled or division-controlled Information Technology Resources is granted by authorised faculty or divisional staff. Access to specific resources may be further restricted depending on the University's requirements.

Access to Information Technology Resources may be restricted or withdrawn if there is a reasonably formed suspicion or evidence of misuse of Information Technology Resources, a breach of any Macquarie University Rule, Regulation, Policy or the law.

usage of the unique computer accounts which the University has authorised for the user's benefit;

selecting and keeping a secure password for each of these accounts, including not sharing passwords and logging off after using a computer.

using the ICT facilities in an ethical and lawful way, in accordance with Australian laws and relevant local laws where a student is based in another country;

ensuring that except for limited personal use, IT Resources are only used for authorised purposes.

notifying the University copyright officer if they become aware that facilities are being used by any person to infringe the intellectual property rights of another person, or that the effect of any use of any facilities is to infringe such rights.

co-operating with other users of the IT Resources to ensure fair and equitable access;

observing the obligations under these Procedures;

observing the Terms of Service or Acceptable Use policies of third party products or services that have been engaged by the University.

4.4 Misuse of IT Resources
Misuse of Macquarie University’s IT Resources is a breach of the Acceptable Use of IT Resources Policy.

Any member of the University community who becomes aware of possible misuse of Information Technology Resource must report it to either:

their supervisor or manager;

their Organisational Unit Head;

the Director of Human Resources; or

the Chief Information Officer.

Misuse of IT Resources could result in revocation of access to IT Resources (see 4.2).

Macquarie University may refer serious matters or repeated breaches to the Chief Operating Officer, Director of Human Resources, the Head of the relevant Organisational Unit or to the appropriate external authorities which may result in civil or criminal proceedings.

Macquarie University has a statutory obligation to report illegal activities and corrupt conduct to appropriate authorities and will cooperate fully with the relevant authorities.

4.5 Liability
To the extent allowed by law, the University is not liable for loss, damage or consequential loss or damage arising directly or indirectly from ‐

use or misuse of any Information Technology Resources;

loss of data or interference with data stored on any Information Technology Resources;

interference with or damage to equipment used in conjunction with any Information Technology Resources;

loss of data, access to IT Resources or interference with files arising from its efforts to maintain the IT Resources; or

any acts taken or decisions made in accordance with this Procedure.

4.6 Monitoring and Surveillance of IT Resources
The Chief Information Officer or their delegate may at any time monitor, inspect, access or examine any University IT Resources for any purpose permitted by the Acceptable Use of IT Resources policy, any other University policy, rule or regulations and for the purposes of:

facilitating the efficient operation and management of the University IT Resources;

protecting the integrity of IT Resources;

investigating alleged misuse;

auditing the assets of the University; or

logging and Information Security.

Specific provisions relating to Security Monitoring and Surveillance are outlined in Information Security Procedure – Monitoring and Surveillance of IT Resources.

SCHEDULE 1

MISUSE

1 PURPOSE

The purpose of this schedule is to define misuse in relation to the Acceptable Use of IT Resources Policy and Acceptable Use of IT Procedure.

2 SCHEDULE

‘Misuse’ includes, but is not limited to:

(a) use for any purpose other than an authorised purpose;
(b) use that causes or contributes to a breach of any provision of a law, statute, regulation, subordinate instrument or code of practice or conduct applying to the University or to which users are subject;
(c) use that contravenes a University statute, regulation, rule, policy or procedure;
(d) creating, transmitting, storing, downloading or possessing illegal material;
(e) the deliberate or reckless creation, transmission, storage, downloading, or display of any offensive or menacing images, data, or other material, or any data capable of being resolved into such images or material, except in the case of the appropriate use of Information Technology Resources for properly supervised University work or study purposes;
(f) use which constitutes an infringement of any intellectual property rights of another person;
(g) communications which would be actionable under the law of defamation;
(h) communications which misrepresent a personal view as the view of the University;
(i) deliberate or reckless undertaking of activities resulting in any of the following‐
(j) the imposition of an unreasonable burden on the University’s Information Technology Resources;
(k) corruption of or disruption to data on the University’s Information Technology Resources, or to the data of another person or organisation;
(l) disruption to other Authorised Users; or
(m) introduction or transmission of any hostile or intrusive software, including computer viruses, worms, Trojan horses, ransomware, spyware, adware, scareware, and other malicious programs in any form including hyperlinks, executable code, scripts, active content, and other software into the University’s Information Technology Resources.
(n) circumventing authentication or access control measures, security or restrictions upon the use of any Information Technology Resources or account, including the unauthorised distribution or use of tools for compromising security, including but not limited to password guessing programs, cracking tools, packet sniffers or network probing tools;
(o) spread betting online without prior written approval from the Chief Information Officer. Permission can only be granted for the purposes of research and in consultation with the relevant Head of Department or Executive Dean.
(p) gambling or, other than participation in approved football-tipping and like competitions, where the primary purpose is social rather than financial;
(q) accessing pornography without prior written approval from the Chief Information Office(r) Permission can only be granted for the purposes of research and in consultation with the relevant Head of Department or Executive Dean.
(r) use of any Information Technology Resources for sending junk mail or unsolicited bulk messages without University approval, for-profit messages, or chain, hoax or scam letters or messages;
(s) use of any Information Technology Resources for the purposes of any private business whether for profit or not, or for any business purpose other than University business, without prior approval from the Chief Information Officer or the Vice-Chancellor;
(t) subscribing to list servers, mailing lists and other like services for purposes other than University work or study or limited personal use;
(u) participation in online conferences, chat rooms, discussion groups or other like services for purposes other than University work or study or limited personal use;
(v) unauthorised accessing of information, including but not limited to unauthorised access to servers, hard drives, email accounts or files;
(w) unauthorised reserving of, or exclusion of others from using, any Information Technology Resources;
(x) breaching the University’s Privacy Policy;
(y) performing an act which will interfere with the normal operation of any Information Technology Resources;
(z) unauthorised use of the University logo;
(aa) representing that a message or material comes from another person without that person’s authorisation;
(bb) knowingly running, installing or distributing on any Information Technology Resources a program intended to damage or to place excessive load on any Information Technology Resources, including without limitation programs in the nature of computer viruses, Trojan horses and worms;
(cc) failure to comply with the conditions of use imposed by an external provider when that provider's equipment or services are used in conjunction with any Information Technology Resources;
(dd) providing a password or other means of authentication for any Information Technology Resources to another person without prior written approval from the Chief Information Officer, or failing to take reasonable care to protect a password or other means of authentication for any Information Technology Resources from being accessed or used by another person;
(ee) failing to exercise reasonable care in the use, management and maintenance of Information Technology Resources, including but not limited to taking reasonable steps to ensure security and integrity of Information Technology Resources, including protection of equipment, systems and data from theft, unauthorised use or viruses;
(ff) failing to comply with any reasonable instruction given by or with the authority of the University copyright officer to remove or disable access to material;
(gg) aiding, abetting, counselling or procuring a person to do any of the things referred to in paragraphs (a) to (ee);
(hh) inducing or attempting to induce a person to do any of the things referred to in paragraphs (a) to (ee);
(ii) being in any way, directly or indirectly, knowingly concerned in, or a party to, any of the things referred to in paragraphs (a) to (ee);
(jj) conspiring with others to do any of the things referred to in paragraphs (a) to (ee); and
(kk) attempting to do any of the things referred to in paragraphs (a) to (ee).